Multiple Security Strings How To Guide

From Swivel Knowledgebase


Overview

Swivel allows multiple One Time Codes or security strings to be sent by different transports. Each of the security strings must be used in order. Swivel 3.6 introduced a feature that tells the user which security string to use for authentication. The user typically enters their username and clicks a button to find which index number should be used. The corresponding security string is then used to calculate the One Time Code.

For multiple security strings used within the Mobile Apps, see Mobile Security String Index.


Prerequisites

Swivel 3.6 onwards


Dual Channel String Index

Configuring the Swivel server for Dual Channel Index

Select the required transport and set the required number of security strings to be sent to the user.

Note: For SMS delivery, there is a maximum number of characters that an SMS message can carry in one text. A long header may reduce the number of security strings that fit. Typically 1 SMS message can carry 4 security strings, or 10 security strings across 2 SMS messages. The mobile phone usually reassembles the SMS messages into one message.

It is possible to have differing transports for different groups of users with differing numbers of security strings or One Time Codes.




Allow session request by Username for Dual Channel Communication





Configuring the Access Device for Dual Channel Index

Dual Channel Index Image

The access device must be modified to tell the user which security string is required; this indicator is known as the 'Security String Index'. It is a number or an image served from the Swivel server. The Security String Index request is similar to a Single Channel image request such as TURing, and appropriate proxies or NAT need to be put in place so that it can be requested from the Swivel server.

The Security String Index request is in the following format:

For a Swivel virtual or hardware appliance:

 https://IP:8443/proxy/DCIndexImage?username=
 
 Example 
 
 https://196.168.0.35:8443/proxy/DCIndexImage?username=graham

For a Software install:

 http://IP:8080/pinsafe/DCIndexImage?username=
 
 Example 
 
 http://196.168.0.35:8080/pinsafe/DCIndexImage?username=graham


Dual Channel Index Number

Instead of an image, the number can be requested directly and displayed. Replace DCIndexImage with DCIndex.

 Example
 
 https://196.168.0.35:8443/proxy/DCIndex?username=graham


Testing for Dual Channel Index

The Security String Index number should be displayed when requested, starting with 00 and increasing sequentially with each authentication attempt until the maximum number has been reached, at which point it starts again at 00.

Example 00: 00.JPG

Example 11: 11.JPG

The user should log in with the OTC corresponding to the displayed Security String Index, in the format nnnn, for example: 2168. The security string index does not have to be entered, but it will be accepted if entered in the format nnnn-00, nnnn-01, nnnn-03...


Token Security String Index

From Swivel version 3.9 onwards, the next expected mobile client security string can be displayed using TokenIndexImage or TokenIndex.


Configuring the Access Device for Token Index

Token Index Image

The access device must be modified to tell the user which security string is required; this indicator is known as the 'Security String Index'. It is a number or an image served from the Swivel server. The Security String Index request is similar to a Single Channel image request such as TURing, and appropriate proxies or NAT need to be put in place so that it can be requested from the Swivel server.

The Security String Index request is in the following format:

For a Swivel virtual or hardware appliance and for a Software install (the proxy does not currently support this feature, so it will not work on 8443/proxy):

 http://IP:8080/pinsafe/TokenIndexImage?username=
 
 Example 
 
 http://196.168.0.35:8080/pinsafe/TokenIndexImage?username=graham


Token Index number

Instead of an image, the number can be requested directly and displayed. Replace TokenIndexImage with TokenIndex.

 Example
 
 http://196.168.0.35:8080/pinsafe/TokenIndex?username=graham
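
The index requests and the test procedure described above can be scripted when customising an access-device login page. The following is an added example, not Swivel code: the function names are hypothetical, and it assumes that DCIndex and TokenIndex return the index as plain two-digit text such as 00 or 11.

```javascript
// Added example for an access-device login page; not Swivel code.
// Assumption: DCIndex/TokenIndex return the index as plain text ("00", "11").
const ENDPOINTS = ["DCIndex", "DCIndexImage", "TokenIndex", "TokenIndexImage"];

// Build the request URL. The username goes through URLSearchParams so that
// '&', '#', '=' or spaces in it cannot change the query string.
function indexUrl(base, endpoint, username) {
  if (!ENDPOINTS.includes(endpoint)) throw new Error("unknown endpoint");
  const url = new URL(endpoint, base.endsWith("/") ? base : base + "/");
  url.searchParams.set("username", username);
  return url.toString();
}

// Parse the text returned by the server; anything but two digits is rejected.
function parseIndex(body) {
  const m = /^(\d{2})$/.exec(String(body).trim());
  return m ? Number(m[1]) : null;
}

// Split what the user typed: "nnnn" or "nnnn-NN" (index suffix optional).
function splitOtc(input) {
  const m = /^(\d{4})(?:-(\d{2}))?$/.exec(String(input).trim());
  if (!m) return null;
  return { otc: m[1], index: m[2] === undefined ? null : Number(m[2]) };
}

// Check a run of observed indexes: first is 00, each step is +1, and the
// value after maxIndex is 00 again. Returns -1, or the first bad position.
function firstSequenceError(observed, maxIndex) {
  for (let i = 0; i < observed.length; i++) {
    const expected = i % (maxIndex + 1);
    if (observed[i] !== expected) return i;
  }
  return -1;
}

// Constructed sample: indexes 00..02 observed over four attempts.
const seen = ["00", "01", "02", "00"].map(parseIndex);
console.log(indexUrl("https://196.168.0.35:8443/proxy", "DCIndex", "graham"));
console.log(firstSequenceError(seen, 2), splitOtc("2168-01"));
```

A non-negative result from firstSequenceError gives the position of the first index that is out of order; on 3.6 and 3.7 the server log cannot be used to cross-check this because index requests are not logged there.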


Known Problems

In Swivel 3.6 and 3.7, DCIndex and DCIndexImage do not produce a log entry.

In Swivel versions 3.10, 3.10.1 and 3.10.2, multiple security strings do not work: the first string works, but the subsequent strings fail. These issues are fixed in 3.10.3 and in updated versions of these releases.


Troubleshooting

Check the Swivel logs for any error messages.

Verify that a Single Channel image can be received at the login page by using the SCImage?username= request.